Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

net/http: handle server errors after sending GOAWAY #54658

Closed
neild opened this issue Aug 24, 2022 · 10 comments
Closed

net/http: handle server errors after sending GOAWAY #54658

neild opened this issue Aug 24, 2022 · 10 comments
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Milestone

Comments

@neild
Copy link
Contributor

neild commented Aug 24, 2022

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error. This failure mode could be exploited to cause a denial of service.

Thanks to Bahruz Jabiyev, Tommaso Innocenti, Anthony Gavazzi, Steven Sprecher, and Kaan Onarlioglu for reporting this.

This was a PRIVATE issue for CVE-2022-27664 tracked in http://b/219507101.

Backport issues: #53977 #54376

(I forgot to create the non-backport issue when making the backports, doing so now.)

@dmitshur dmitshur added this to the Go1.20 milestone Aug 24, 2022
@heschi heschi added the NeedsFix The path to resolution is known, but the work has not been done. label Aug 29, 2022
@gopherbot
Copy link

gopherbot commented Sep 6, 2022

Change https://go.dev/cl/428655 mentions this issue: [release-branch.go1.19] net/http: update bundled golang.org/x/net/http2

@gopherbot
Copy link

gopherbot commented Sep 6, 2022

Change https://go.dev/cl/428635 mentions this issue: [release-branch.go1.18] net/http: update bundled golang.org/x/net/http2

gopherbot pushed a commit that referenced this issue Sep 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes #54376
For #54658

Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428655
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
gopherbot pushed a commit that referenced this issue Sep 6, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes #53977
For #54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
@mknyszek mknyszek changed the title security: fix CVE-2022-27664 net/http: handle server errors after sending GOAWAY Sep 6, 2022
@gopherbot
Copy link

gopherbot commented Sep 6, 2022

Change https://go.dev/cl/428736 mentions this issue: [internal-branch.go1.18-vendor] http2: handle server errors after sending GOAWAY

@gopherbot
Copy link

gopherbot commented Sep 6, 2022

Change https://go.dev/cl/428737 mentions this issue: [internal-branch.go1.19-vendor] http2: handle server errors after sending GOAWAY

@gopherbot
Copy link

gopherbot commented Sep 6, 2022

Change https://go.dev/cl/428717 mentions this issue: all: update vendored golang.org/x/net

gopherbot pushed a commit to golang/net that referenced this issue Sep 7, 2022
…ding GOAWAY

The HTTP/2 server uses serverConn.goAwayCode to track whether a
connection has encountered a fatal error. If an error is encountered
after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the
error status of the connection.

Fixes an issue where a server connection could hang forever waiting
for a clean shutdown that was preempted by a subsequent fatal error.

Fixes CVE-2022-27664
For golang/go#54658
For golang/go#54376

Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/428735
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/net/+/428737
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
gopherbot pushed a commit to golang/net that referenced this issue Sep 7, 2022
…ding GOAWAY

The HTTP/2 server uses serverConn.goAwayCode to track whether a
connection has encountered a fatal error. If an error is encountered
after sending a ErrCodeNo GOAWAY, upgrade goAwayCode to reflect the
error status of the connection.

Fixes an issue where a server connection could hang forever waiting
for a clean shutdown that was preempted by a subsequent fatal error.

Fixes CVE-2022-27664
For golang/go#54658
For golang/go#53977

Change-Id: I165b81ab53176c77a68c42976030499d57bb05d3
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1413887
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/net/+/428735
Run-TryBot: Damien Neil <dneil@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/net/+/428736
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
bradfitz pushed a commit to tailscale/go that referenced this issue Sep 8, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes golang#54376
For golang#54658

Change-Id: I747900a66d7276e7d0bd246cd8cd0da95305c3ca
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554417
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428655
Reviewed-by: Carlos Amedee <carlos@golang.org>
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
@tangxi666
Copy link
Contributor

tangxi666 commented Sep 8, 2022

A closing HTTP/2 server connection could hang forever waiting for a clean shutdown that was preempted by a subsequent fatal error.

Hi, I have a question. I don't understand why this would cause a permanent hang. Can you explain this in code? Thank you very much!

@tangxi666
Copy link
Contributor

tangxi666 commented Sep 9, 2022

@neild

danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes golang#53977
For golang#54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

comment out test skip from cherry pick of 5bc9106
danbudris pushed a commit to danbudris/go that referenced this issue Sep 9, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes golang#53977
For golang#54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

comment out test skip from cherry pick of 5bc9106
danbudris pushed a commit to danbudris/go that referenced this issue Sep 12, 2022
Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes golang#53977
For golang#54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

comment out test skip from cherry pick of 5bc9106
danbudris pushed a commit to danbudris/go that referenced this issue Sep 14, 2022
Fixes CVE-2022-27664
Fixes golang#53977
For golang#54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
@gkurz
Copy link

gkurz commented Sep 15, 2022

@neild does this affect older versions of go like 1.16 or 1.17 ?

rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 5, 2022
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.18
EKS Patch Source Commit: danbudris@6b7d79a
Upstream Source Commit: golang@5bc9106

# Original Information

Fixes CVE-2022-27664
Fixes golang#53977
For golang#54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
# AWS EKS
Backported To: go-1.15.15-eks
Backported On: Thu, 22 Sept 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.18
EKS Patch Source Commit: danbudris@6b7d79a
Upstream Source Commit: golang@5bc9106

# Original Information

Fixes CVE-2022-27664
Fixes golang#53977
For golang#54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>
rcrozean pushed a commit to rcrozean/go that referenced this issue Oct 12, 2022
# AWS EKS
Backported To: go-1.16.15-eks
Backported On: Tue, 04 Oct 2022
Backported By: budris@amazon.com
Backported From: release-branch.go1.18
EKS Patch Source Commit: danbudris@f17d272
Upstream Source Commit: golang@5bc9106

# Original Information

Disable cmd/internal/moddeps test, since this update includes PRIVATE
track fixes.

Fixes CVE-2022-27664
Fixes golang#53977
For golang#54658.

Change-Id: I84b0b8f61e49e15ef55ef8d738730107a3cf849b
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1554415
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-by: Tatiana Bradley <tatianabradley@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/428635
Reviewed-by: Tatiana Bradley <tatiana@golang.org>
Run-TryBot: Michael Knyszek <mknyszek@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Carlos Amedee <carlos@golang.org>

comment out test skip from cherry pick of 5bc9106
@gkurz
Copy link

gkurz commented Nov 2, 2022

@neild does this affect older versions of go like 1.16 or 1.17 ?

Assuming that the thumbs up added by other people mean yes, is there a backport for 1.17 of this fix ? @neild any inputs ?

@seankhliao
Copy link
Member

seankhliao commented Nov 2, 2022

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
NeedsFix The path to resolution is known, but the work has not been done. release-blocker Security
Projects
Status: No status
Development

No branches or pull requests

7 participants